Snort mailing list archives
Re: [Emerging-Sigs] Reliability of signatures
From: Jim Hranicky <jfh () ufl edu>
Date: Fri, 4 Feb 2011 14:43:05 -0500
On Fri, 4 Feb 2011 14:01:05 -0500 Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just not of interest, vs nt hitting on what it's supposed to be looking for.
I guess there'd need to be guidelines for what constitutes a false, like "did the rule detect what it was intended to detect" . If you're not interested, ideally you wouldn't use and/or report on the rule. Instead of a straight up/down vote, we could do this: [ ] Works as intended [ ] False Positive [ ] False Negative (I think others have said something similar in this threat) Sometimes a rule is very useful but has a small number of falses. Something 95% effective at detecting say a Zeus infection is something I'd include in my ruleset (hey, that's what I do now!) While we're wildly throwing ideas out, it seems that including the payload could be useful for the rule author in tuning the sig whether false or not. On the other hand, that would likely make for a complicated system, so perhaps tuning could be left to the mailing lists. -- Jim Hranicky IT Security Engineer Office of Information Security and Compliance University of Florida ------------------------------------------------------------------------------ The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Reliability of signatures, (continued)
- Re: Reliability of signatures Nigel Houghton (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Nigel Houghton (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Nigel Houghton (Feb 04)
- Re: Reliability of signatures Joel Esler (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures beenph (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Matthew Jonkman (Feb 04)
- Re: [Emerging-Sigs] Reliability of signatures Jim Hranicky (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures waldo kitty (Feb 04)
- Re: [Emerging-Sigs] Reliability of signatures Michael Stone (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Michael Scheidell (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Michael Scheidell (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Michael Scheidell (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matthew Jonkman (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Jacob Kitchel (Feb 11)